This post is the result of collaborative work between the Parity Security team and Security Research Labs.
We would like to describe the role of the Alpha Program within the blockchain ecosystem and highlight its impact in promoting a stronger security posture.
The role of the Alpha program for the Polkadot community
The Alpha Program by Parity, previously known as the Substrate Builders Program, was created to drive the evolution of Polkadot and to aid new projects in taking their ideas to the market. It serves as a catalyst for decentralized development by providing resources, fostering collaboration, and supporting projects at various stages within the Polkadot ecosystem.
One of Alpha’s main goals is to promote the security well-being of the Polkadot blockchain community. The initiative helps projects within the ecosystem mature their security posture by offering tooling-assisted assessments of the project’s code base. The assessments are performed by Security Research Labs (SRLabs), a leader in blockchain security known for its engagement in building resilience against real-world cybersecurity threats through ethical hacking and consulting. During the assessments, SRLabs identified common vulnerabilities in the participants’ code base and helped rapidly address the flaws through remediation suggestions (see Figure 1 for more details on the overall process).
Figure 1: The process behind the Alpha security assessments
The role of the Parity Security Team
The Parity Security Team leads the security initiatives within the Polkadot ecosystem (e.g., the Alpha program, Parathreat), while also dealing with security vulnerabilities in Parity software and overseeing the Parity Bug Bounty Program (in case you ever wondered who handles all the security-related emails sent by community members!).
The Parity Security Team serves the community by minimizing risks, providing timely information, delivering the vulnerability fixes and mitigations required to address security issues, and creating ample learning opportunities. For example, Parathreat, the security wargame, is a must for anyone looking to increase their understanding of how to fix security flaws in parachains, pallets, and nodes within the Polkadot SDK.
Security insights gained and shared with the community in the past
In 2022 and 2023, the Substrate Builders Program, now known as the Polkadot Alpha Program, performed 36 security reviews in cooperation with SRLabs. These assessments were conducted in the form of one-week-long testing phases and resulted in the identification of 137 security vulnerabilities within 63 parachains. Among them, SRLabs auditors identified 22 critical severity and 37 high severity issues. They range from reachable panics, arithmetic findings, and misconfigurations to benchmarking issues and memory vulnerabilities. You can see an overview in Figure 2.
Figure 2: The Substrate Builders Program found these 137 flaws in 2022-2023
The initiative supported parachain developers in identifying security flaws before they spiralled into fully developed incidents. It is commonly known within the blockchain community that vulnerabilities not only have a security impact but also reputational and financial consequences (we’ll get into these in the next section) that can break projects and weaken entire ecosystems. This initiative created room for a positive learning experience both for the auditors and the parachain developers, paving the way towards a stronger and more secure blockchain ecosystem.
Security insights gained and shared in 2024
In 2024, insights from the Alpha program results indicate that more than half of the participants demonstrated severe deviations from security best practices in their code base, where the SRLabs auditors discovered either a high number of issues or at least one high or critical severity vulnerability. In particular, major gaps were revealed within 7 projects, while the other 4 exhibited minor deviations from security best practices.
Additionally, the results fit into a clear trend in which the most common types of vulnerabilities identified are benchmarking and misconfiguration issues. Eleven parachains and a retest went through dynamic testing and static analysis over 12 months in the same format as in previous years. In total, the one-week-long assessments resulted in the discovery of 41 security vulnerabilities, including 29 high severity flaws (see Figure 3 for more details on the issue types).
Figure 3: The Alpha program found these 41 flaws in 2024
As reported by specialized publications (such as rekt or web3isgoinggreat), the exploitation of logic bugs in blockchain projects regularly results in thousands or even millions of dollars stolen from projects and users. For example, a chain with a market capitalization of 1 million $/¥/€ that gets its treasury looted through the exploit of an integer overflow could see hundreds of thousands $/¥/€ lost by the stakeholders and flowing into shadowy hands. This highlights that a non-trivial portion of the bugs reported by this program could have ended in similar scenarios, specifically those related to integer overflows (which result in potentially catastrophic logic bugs) and the chain misconfigurations that lead to waived fees for heavy tasks.
Future developments
We would like to solidify the impact of the Alpha program moving forward and continue jointly promoting a better security posture for the Polkadot ecosystem. Here are some plans for how to do so:
1. Awareness trainings
The Alpha program, Parity Security, and SRLabs will organize awareness trainings on the most common vulnerabilities within the Polkadot ecosystem. This way, projects will have the time and knowledge to focus on preventing the inclusion of typical flaws during the development phase instead of mitigating them after they have sneaked into the code base and become security incidents. It’s the proverbial ounce of prevention…
2. Documentation of countermeasures
To further address the gap, the Parity Security Team will promote the creation of easy-to-follow security documentation so that each new project can efficiently implement remediations and mitigations. This will ensure a baseline security maturity for Substrate-based projects, saving time and diminishing frustration.
Just like the OWASP Top 10 list for web applications, a similar list of relatively common security flaws has been defined specifically for Substrate and Polkadot. Some useful resources are already available, such as this initial list of common vulnerabilities created by Parity Security to raise awareness ([1]). However, with SRLabs auditors discovering new threats with each new security engagement, the list has since been revised.
Parity Security and SRLabs will join efforts and share the findings with the community. This will be done in a series of posts on the Substrate top 10 vulnerabilities and their mitigations. It will build on the traditions of the Parity Blog (Parity’s technical roadmap and a major source of inspiration on all things Polkadot and Substrate) and include insights from sub0, the flagship Polkadot developer conference.
These posts will be beginner-friendly, hands-on guides containing many practical examples. They will showcase that developing with security in mind is both necessary and feasible. We have already gathered a list of topics inspired by the issue trends extracted from the audits:
#1: Runtime misconfiguration
#2: Incorrect benchmarking
#3: Reachable panics
#4: Unsafe arithmetic and conversion
#5: Insecure cryptography
#6: Storage exhaustion
#7: Abusable unsigned and free calls
#8: Outdated crates
#9: Faulty handling of consumers/providers/sufficients
#10: Incorrect slashing logic
(Note that items 8–10 aren’t currently covered by the security tests performed within the scope of the Alpha program.)
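To make item #4 (and the integer-overflow scenario described above) concrete, here is an added example that is not code from the post or from any Parity pallet: a toy balance ledger modelled on a pallet transfer, written in plain Rust with no Polkadot SDK dependency, showing the wrapping arithmetic that lets an underflow mint funds next to the checked form that rejects it. All names (`transfer_unchecked`, `transfer_checked`, `total_issuance`, the `Error` enum) are assumptions for illustration.

```rust
// Added example (not the post's or Parity's code): a minimal ledger that
// mirrors the shape of a Substrate transfer extrinsic without the SDK.
use std::collections::HashMap;

type AccountId = u32;
type Balance = u128;

#[derive(Debug, PartialEq)]
pub enum Error {
    InsufficientBalance,
    Overflow,
}

/// Vulnerable pattern (top-10 item #4): arithmetic that wraps silently.
/// Runtimes are built in release mode, where plain `-`/`+` do not panic;
/// `wrapping_*` reproduces that behaviour deterministically here. Sending
/// more than the sender holds underflows and leaves it with a huge balance.
pub fn transfer_unchecked(ledger: &mut HashMap<AccountId, Balance>, from: AccountId, to: AccountId, amount: Balance) {
    let from_bal = *ledger.get(&from).unwrap_or(&0);
    let to_bal = *ledger.get(&to).unwrap_or(&0);
    ledger.insert(from, from_bal.wrapping_sub(amount));
    ledger.insert(to, to_bal.wrapping_add(amount));
}

/// Hardened form: checked arithmetic turns the underflow into an error the
/// extrinsic can return (the pallet equivalent of a DispatchError), and
/// storage is written only after every check has passed (verify first).
pub fn transfer_checked(ledger: &mut HashMap<AccountId, Balance>, from: AccountId, to: AccountId, amount: Balance) -> Result<(), Error> {
    let from_bal = *ledger.get(&from).unwrap_or(&0);
    let to_bal = *ledger.get(&to).unwrap_or(&0);
    let new_from = from_bal.checked_sub(amount).ok_or(Error::InsufficientBalance)?;
    let new_to = to_bal.checked_add(amount).ok_or(Error::Overflow)?;
    ledger.insert(from, new_from);
    ledger.insert(to, new_to);
    Ok(())
}

/// Invariant a correct transfer must preserve: total issuance is unchanged.
pub fn total_issuance(ledger: &HashMap<AccountId, Balance>) -> Balance {
    ledger.values().fold(0u128, |acc, b| acc.saturating_add(*b))
}

pub fn main() {
    // Constructed sample state: account 1 holds 100 units, account 2 holds 0.
    let mut ledger = HashMap::from([(1u32, 100u128), (2u32, 0u128)]);
    transfer_unchecked(&mut ledger, 1, 2, 150);
    println!("unchecked transfer of 150 from a balance of 100: {:?}", ledger);
    let mut ledger = HashMap::from([(1u32, 100u128), (2u32, 0u128)]);
    println!("checked transfer: {:?}", transfer_checked(&mut ledger, 1, 2, 150));
}
```

Comparing `total_issuance` before and after each call is the kind of invariant check a pallet test suite should assert on, since it catches the minting bug even when the per-account arithmetic looks plausible.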
In summary, the Alpha program, created by Parity and supported by the Parity Security Team, provides useful services to the Polkadot blockchain community. After gaining momentum in the last couple of years, the time has come to reach new heights. We are looking forward to taking you along!